Chamilo LMS Privilege Escalation: Student to Admin in a Snap

The National Vulnerability Database (NVD) recently detailed CVE-2026-40291, a high-severity vulnerability impacting Chamilo LMS versions prior to 2.0.0-RC.3. This isn’t just another bug; it’s a critical insecure direct object modification flaw that lets any authenticated student user elevate their privileges straight to administrator status. We’re talking full platform control, access to all courses, user data, grades, and the whole admin toolkit.

The exploit targets the PUT /api/users/{id} endpoint. According to the NVD, the API Platform’s security expression is_granted('EDIT', object) only verifies record ownership, which is a significant oversight. Coupled with the roles field being included in the writable serialization group, it creates a wide-open door. Any user can simply modify their own user record and assign themselves arbitrary roles, including ROLE_ADMIN. This is a classic case of insufficient authorization leading to a complete bypass of security controls, rated 8.8 on the CVSS scale. The good news is that Chamilo LMS has addressed this issue in version 2.0.0-RC.3.